Ginzamarkets, Inc.


Odin Authenticator

Odin Authenticator is a cookie-based single sign-on system for Apache 2, built with mod_perl. It is a cleanup and rewrite of the GodAuth script. A companion authentication webapp is also provided; this implementation uses Google Apps for Domains as the identity provider.

It is used in Ginzametrics to authenticate access to the internal web services: the Resque web panel, the Icinga monitoring system, Munin charts, the Jenkins continuous integration build server, etc. It is probably not fit for authenticating end users; it definitely hasn’t been built with that in mind.

Disclaimer

This software is provided as-is, without any warranty. While it uses strong cryptography to securely sign the authentication cookie, we can’t promise that it’s perfectly implemented. You are using the software at your own risk and responsibility.

How it works

All the services authenticated by Odin should be configured as subdomains of a single domain. A good convention is to use something like *.i.yourdomain.com — “i” for “i”nternal “i”nfrastructure — so that it doesn’t completely mix with your end user access points. The top-level domain, i.yourdomain.com, serves the authorizer webapp, such as the reference App::OdinAuthorizer. The authorizer authenticates the user and, when successful, sets a digitally signed cookie for *.i.yourdomain.com that includes the username, groups, a timestamp, and an HMAC computed over the text of the cookie itself together with the client IP and User-Agent (to limit potential replay attacks).

Individual Apache servers that use Odin for authentication add a mod_perl handler provided by Apache2::Authen::OdinAuth. The handler checks for the cookie, and validates the HMAC and timestamp. Then it matches the username and groups with its own permissions configuration.

If everything is fine, the request goes through and username is set as with regular HTTP authentication. Additionally, environment variables OdinAuth_User and OdinAuth_Roles are set for the application.

If anything is wrong, the request is stopped and the user is redirected to the authorizer webapp to (re-)authenticate.
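The issue/validate cycle described above, as an added illustration that is not the project’s own Perl code: the authorizer signs username, groups and timestamp with an HMAC bound to the client IP and User-Agent, and the handler side rejects a cookie that is tampered with, replayed from another client, or outdated. The field layout, the `:` separator, SHA-256, the secret and the lifetime are all assumptions for the example.

```python
import hashlib
import hmac
import time

# Constructed values for the example; the real deployment's secret, field
# layout and lifetime are configuration choices not shown on this page.
SECRET = b"example-shared-secret"   # hypothetical, shared by authorizer and handlers
MAX_AGE = 8 * 3600                  # assumed cookie lifetime in seconds


def _mac(payload, client_ip, user_agent, secret=SECRET):
    """HMAC over the cookie text plus client IP and User-Agent, so that a
    cookie copied to a different client does not verify there."""
    msg = "\0".join([payload, client_ip, user_agent]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_cookie(username, groups, client_ip, user_agent, now=None, secret=SECRET):
    """Authorizer side: build 'user:group1,group2:timestamp:hmac'."""
    ts = int(time.time() if now is None else now)
    payload = ":".join([username, ",".join(groups), str(ts)])
    return payload + ":" + _mac(payload, client_ip, user_agent, secret)


def verify_cookie(cookie, client_ip, user_agent, now=None, secret=SECRET, max_age=MAX_AGE):
    """Handler side: return (username, groups) for a valid cookie, else None.
    None is the case that maps to a redirect to the authorizer webapp."""
    parts = cookie.split(":")
    if len(parts) != 4:
        return None
    username, groups, ts, mac = parts
    payload = ":".join([username, groups, ts])
    expected = _mac(payload, client_ip, user_agent, secret)
    # Check the MAC first and in constant time, before trusting any field.
    if not hmac.compare_digest(mac, expected):
        return None
    if not ts.isdigit():
        return None
    age = int(time.time() if now is None else now) - int(ts)
    if age < 0 or age > max_age:      # outdated, or a timestamp from the future
        return None
    return username, [g for g in groups.split(",") if g]


def authorize(identity, allowed_users=(), allowed_groups=()):
    """Per-server permissions check applied after the cookie validates."""
    username, groups = identity
    return username in allowed_users or any(g in allowed_groups for g in groups)
```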

Pieces

App::OdinAuthorizer

Odin Authorizer is a Perl Dancer webapp that calls out to Google Apps for Domains to authenticate the user. Currently, you configure a chosen domain — anyone who authenticates with Google as someone@the-configured-domain.com is given an Odin cookie authenticating them as someone.

We use Google Apps in our domain for GMail email, docs, and calendar — everyone already has a username and password there, so it is a natural choice to reuse that account instead of creating a new set of credentials.

Apache2::Authen::OdinAuth

A mod_perl handler that checks for the cookie, validates it, and either sets regular HTTP auth variables (and some custom environment and request variables to make itself distinguishable), or redirects to the authorizer webapp to set the cookie if it is invalid, outdated, or not present.

Chef cookbook

To be released: a Chef cookbook that handles configuration of the authorizer webapp and individual client webapps.